Decrypt Amnesia ransomware with Emsisoft’s free decrypter

Update (June 1st, 2017): Our Lab team has updated the Amnesia decrypter to support the newer variants. If you had issues previously, head to decrypter.emsisoft.com/amnesia2 and download the latest version (1.0.0.41).

Today, Emsisoft CTO and malware researcher Fabian Wosar released a free decrypter for “Amnesia”, a new Delphi-based ransomware that first appeared on 26th April 2017.

How the Amnesia ransomware works

The main infection vector of Amnesia appears to be via RDP (remote desktop services) brute force attacks, which allow the malware author to log into the victim’s server and execute the ransomware.

Once the criminals have access, the malware will delete the system’s recovery points so shadow copies cannot be used to recover the files once encrypted. It will also copy itself into the %APPDATA% directory using the file name “guide.exe” and register itself within the “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce” key to start automatically during the next boot.

Since Amnesia ransomware does not contain an extension list, it will encrypt all file types on the machine. It does, however, exclude C:\Windows, C:\Program Files and various other folders from the encryption operation, so that booting and other critical processes are not affected.

Amnesia encrypts up to the first 1 MB of files using AES-256 encryption in ECB mode. Once the files are locked this way, the malware will append the “.amnesia” extension to them.
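Because only the first 1 MB of each file is encrypted, anything beyond that offset still holds the original bytes. The following triage script, added here as an example and not part of Emsisoft’s decrypter, walks a tree of “.amnesia” files and reports, per file, the entropy of the encrypted head and how much untouched data lies past the 1 MB mark. The sample files, the directory layout and the use of os.urandom as a stand-in for AES-ECB output are all constructed for the demonstration.

```python
import math
import os
import tempfile
from pathlib import Path

# From the article: Amnesia encrypts only the first 1 MB of each file and appends ".amnesia".
ENCRYPTED_PREFIX = 1024 * 1024
AMNESIA_EXT = ".amnesia"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: AES output sits near 8.0, text and most database pages well below."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_file(path: Path) -> dict:
    """Measure the encrypted head separately from the remainder past 1 MB, which was never touched."""
    size = path.stat().st_size
    with path.open("rb") as f:
        head = f.read(min(size, ENCRYPTED_PREFIX))
        tail = f.read(64 * 1024)  # sample of the untouched remainder, empty for files under 1 MB
    return {
        "path": path.name,
        "size": size,
        "head_entropy": round(shannon_entropy(head[:65536]), 2),
        "intact_tail_bytes": max(0, size - ENCRYPTED_PREFIX),
        "tail_entropy": round(shannon_entropy(tail), 2) if tail else None,
    }

def triage_tree(root: Path) -> list:
    """Triage every .amnesia file below root, sorted so the report is stable."""
    return [triage_file(p) for p in sorted(root.rglob("*" + AMNESIA_EXT)) if p.is_file()]

def build_sample_tree(root: Path) -> None:
    """Constructed test data: os.urandom stands in for AES-ECB output (not a real sample)."""
    (root / "invoice.pdf.amnesia").write_bytes(os.urandom(80 * 1024))  # fits inside 1 MB
    sql = (b"INSERT INTO animals VALUES ('cat', 4);\n" * 60000)[: 2 * 1024 * 1024]
    (root / "shelter.mdf.amnesia").write_bytes(os.urandom(ENCRYPTED_PREFIX) + sql)  # 3 MB

def run_demo() -> dict:
    """Build the constructed tree in a temp dir and return the triage keyed by file name."""
    root = Path(tempfile.mkdtemp(prefix="amnesia_triage_"))
    build_sample_tree(root)
    return {r["path"]: r for r in triage_tree(root)}
```

Call run_demo() to see the report; a low tail entropy next to a near-8.0 head is the signature of a large file whose remainder survived. Already-compressed formats (archives, JPEGs, some database files) have a high-entropy tail even when intact, so treat the measure as a hint for prioritising recovery, not as proof.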

How Amnesia ransomware victims are supposed to pay

Amnesia victims are asked to contact the malware author via email to “[email protected]”.

How to remove Amnesia ransomware encryption using the Emsisoft decrypter

As explained in our thorough ransomware removal guide, it’s critical to follow the right steps when dealing with and removing ransomware. We suggest reading it before attempting any hasty removal.

If you have already verified the ransomware type and are just looking for the decrypter, you can download it for free from Emsisoft’s decrypter site:

  • Amnesia (1.0.0.33): covers the initial variants prior to June 1st, 2017
  • Amnesia2 (1.0.0.41): covers all the latest variants

Have a great (ransomware-free) day!

  • BEzzell

    Will you be releasing a new version of the amnesia removal tool any time soon? Would a new version be successful where the current version is not?

  • BobbyJ

    Does not seem to be working with the most recent version of Amnesia. Will you be putting out a new version? Would be happy to pay for an update.

  • Tony Faiers

    Thanks for the superb software which appears to decrypt most files although it does fail on some stating that it cannot find the correct key, these seem to be ‘non-standard’ files, such as a .MDF file. Does the software not find one global ‘decrypt’ key that then allows it to decrypt all of the other files as it seems to have to work out a new decryption for each file it finds and there are hundreds, possibly thousands on the computer I’m trying to help repair which is going to take months to decrypt?

    • Fabian Wosar

      Amnesia2 creates a different key for every file. Therefore every file has to be broken separately. In addition, if file names aren’t encrypted, then the decrypter falls back on file format detection. Obviously, no matter how many file formats we detect, there will always be some more file formats we don’t. If there are some mission critical files you need, please send me one unencrypted file of that format and I will see if I can extract enough information from them to allow the file format analysis to recognise it.

      • Adam

        Thank you for the tool!

        Is it possible to decrypt brute force with GPU rather than CPU? Some files don’t decrypt, some do; with thousands it will take months as stated.

  • Paul

    Hi, so far version 2 has decrypted every file it attempted to decrypt, but it has not tried to decrypt a lot of the files in the same folder. Why is that? No errors, it just ignores them, nothing in the logs either?

  • Antonio Di Russo

    Thank you guys for this tool! Unfortunately it couldn’t decrypt a short .txt file containing sensible information…
    We got a variant of this virus that calls itself FROGO which encrypts only files with particular extensions.
    If someone could help it would be appreciated!

    • Mostafa ElDeeb

      Hi, have you found any solution for that, sir? Because I’m facing the same problem.

      • Antonio Di Russo

        Unfortunately I didn’t. There is a long sequence of numbers appended to the file, maybe that’s the way the decryptor the hackers provide uses it to retrieve the key used to encrypt the files.

        • Mostafa ElDeeb

          Ok, Thank you for your time :)

          • Antonio Di Russo

            You are welcome!

  • SB

    I just want to add my thanks to the list. We got hit this weekend with Amnesia and the Amnesia2 utility is hard at work. By estimation it will take 3 days or so to bring back the important stuff, and everything else we either don’t care about or have backups of. All our son’s medical records have been encrypted and are on their way back again. Thanks for giving us a second chance at our files.

  • A.C. Buehler

    Some of the decryption is going well. I am having problems getting any .db files to work. I am using the 1.0.0.49 version. Any thoughts?

    • Fabian Wosar

      The decrypter probably doesn’t know the file format. If you send in a few unencrypted .db files so I can see if I can add format recognition somehow, I will gladly update the decrypter if possible.

      • A.C. Buehler

        Fabian: Thank you! How do you want me to post them to you? I really appreciate it!!

        • A.C. Buehler

          I just found it and posted it on your upload page. A.C.

          • A.C. Buehler

            Emailed the same to your email address shown above. Thanks!

  • Dave Tuggle

    Hey there – Thanks for a great product. I am using version 2 of the decryptor and it did in fact decrypt two of the files I had encrypted. The problem is that after the first file was decrypted it took a very long time to get to the next and decrypt it. It would seem to me that after it “cracked” the first, the rest would fall like dominoes – Is that not the case? If it has to move at this rate then it’ll take a year to do all of these… Can someone please advise on this? Perhaps I’m missing something in the instructions. If this works, I will gladly donate to your cause here as this is a fantastic service.

    • Fabian Wosar

      Every file is encrypted with a different key. The decrypter tries to reuse what it learned from a previous file to decrypt the next file. However, that is only possible if the files’ order hasn’t been changed. The problem is that when the file name is encrypted as well, the order ultimately changes. Since the timestamps are manipulated by the ransomware, it is also impossible to reconstruct the order based on those. For the time being, you will unfortunately have to wait it out.

      • Dave Tuggle

        Thanks Fabian for the quick response – Considering my billing rates to the customer and the number of files encrypted I think we might be best to pay the ransom (backup was also encrypted) – Believe me, nothing pains me more to say that but these are critical files that I can’t have down for a week while the application works to decrypt them on an older CPU. I was under the wrong impression that it would be the same decryption key across the board so thank you for clearing that up.

  • Jim Fus

    I was infected with the Amnesia ransomware and have successfully decrypted some of my files. I have now, a month later, tried to go back and decrypt more files and they will not open. It does decrypt the files, but when I try to open them it says it is not a supported file format (pdf). Anything I could try?

  • Jim Fus

    I was infected with the Amnesia ransomware and have successfully decrypted some of my files. I have now, a month later, tried to go back and decrypt more files and they will not open. It does decrypt the files, but when I try to open them it says it is not a supported file format (pdf). Anything I could try to fix this problem?

  • Geoff Gordon

    I am also stuck with the slowness of having to find a unique key for each file. My file names are not encrypted, but it is very very slow for each file. I have hundreds of thousands of files and don’t know if there is a better way to do this. I tried to do a restore from backup, but copying those files is a slow process as well and confusing because it doesn’t overwrite the infected file.

    They want ~$521 for ransom. Has anyone had success with that? Are they able to restore much more quickly?

    Thanks.

  • Michael Fenimore

    This past weekend a client’s Server 2003 SQL machine was hit with what appears to be the amnesia ransomware virus.
    However, from what I’ve gleaned about this one is it hits files over 1MB in size? Correct?
    But the files I’m seeing with the *.amnesia issues are much less. Like in the 100kb range and higher.
    The email address has also been changed in the text file. [email protected] is what’s listed, and it’s asking for 0.2 bitcoins (~$500).
    The other issue is that the “original” file name is much less in file size. Most of them are 1KB files with the .amnesia files much larger.
    Is this a new variant?
    I really need to get this fixed. It is an animal shelter and their database system is inaccessible.

    Thanks for any pointers.

    – Mike